Safety and the Future of Software Supply Chain Security
I have big and exciting news to share - PyUp.io is now Safety Cybersecurity!
This is not just a change in name; it's a big shift for our company: growth beyond Python, new focus and priorities, and the introduction of two big product launches. I’ll share more about those changes and products in the coming days, but before that, I wanted to share the why behind our re-orientation and re-branding.
Software Supply Chain Security in 2023
Software supply chain security has gone through some big shifts over the last few years. To name a few:
- The number of vulnerabilities that impact software today has grown significantly over the last few years and continues to grow at an accelerating rate across all ecosystems. As a result, software engineering, data, and security teams are drowning in vulnerabilities. The good news is that most of these vulnerabilities don’t actually pose a threat to your systems (more on this later).
- The industry-standard tools and systems, such as CVEs and their CVSS severity scores, are no longer up to the task of keeping software systems secure. CVEs represent only a fraction of the total vulnerabilities that expose your software to risk and attack, are slow to be published, and can be inaccurate. CVSS severity scores are not an effective tool for determining vulnerability risk: which vulnerabilities are a real risk to your system and which are not. The dependency security landscape has changed, and the methods for finding, analyzing, and prioritizing vulnerabilities need to evolve with it.
- There are new and different attack vectors and targets, with development machines increasingly targeted through typosquatting and other malicious packages. Running static scans at the testing or CI/CD stage does not protect a team or company from these attacks. Secure software and secure software development in 2023 require developer security throughout the development lifecycle, especially in development environments.
Safety's Key Operating Principles
Safety's new focus is driven by these realities and challenges, summarized in three key principles that will drive our decision-making, focus, and direction:
Focus on vulnerabilities that actually matter
Vulnerability noise is one of the biggest issues in software development and security today - teams are overwhelmed by the number of vulnerabilities impacting their projects, with no effective way to prioritize and fix all of them. At the same time, only a fraction of these are actual risks. Safety now analyzes multiple signals and data sources to pinpoint the vulnerabilities that actually threaten your systems. Using exploitability data, reachability data, and other project-specific data, Safety can now reduce vulnerability noise by up to 90%, and then effectively prioritize the remaining vulnerabilities that do matter. Teams that use Safety fix what matters, prioritize with confidence, and get back to building.
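As an added example (not Safety's own code or scoring model), here is how the signals named above combine to triage a constructed set of findings: reachability gates the score, exploitability and production usage scale it, and the result is a much shorter list than a CVSS-only ranking. The weights, the package names, and the advisory ids are all assumptions.

```python
from dataclasses import dataclass

@dataclass
class Finding:
    package: str
    advisory: str               # constructed id, not a real advisory
    cvss: float                 # CVSS base score, 0-10
    exploit_probability: float  # assumed exploitability feed value, 0-1
    known_exploited: bool       # assumed "exploited in the wild" flag
    reachable: bool             # assumed reachability-analysis result:
                                # does project code call the vulnerable path?
    used_at_runtime: bool       # False for dev/test-only dependencies

def priority(f: Finding) -> float:
    """Risk score in [0, 1]. CVSS alone would rank every 9.8 at the top;
    here unreachable code is noise and exploitability scales the rest."""
    if not f.reachable:
        return 0.0                           # vulnerable path never used
    score = f.cvss / 10.0
    score *= 0.5 + f.exploit_probability     # scale by 0.5x .. 1.5x
    if f.known_exploited:
        score *= 2.0                         # active exploitation dominates
    if not f.used_at_runtime:
        score *= 0.25                        # not shipped to production
    return min(score, 1.0)

def triage(findings, threshold=0.3):
    """Findings worth a ticket, highest priority first."""
    kept = [f for f in findings if priority(f) >= threshold]
    return sorted(kept, key=priority, reverse=True)

def noise_reduction_percent(findings, threshold=0.3) -> int:
    """Share of raw findings the signals let the team ignore."""
    dropped = len(findings) - len(triage(findings, threshold))
    return dropped * 100 // len(findings)

# Constructed sample scan output: names and ids are placeholders.
SAMPLE = [
    Finding("http-lib", "ADV-0001", 9.8, 0.90, True, True, True),
    Finding("yaml-lib", "ADV-0002", 9.8, 0.70, False, False, True),
    Finding("template-lib", "ADV-0003", 6.5, 0.02, False, True, True),
    Finding("test-plugin", "ADV-0004", 7.5, 0.10, False, True, False),
    Finding("url-lib", "ADV-0005", 5.3, 0.01, False, True, True),
    Finding("math-lib", "ADV-0006", 8.1, 0.30, False, False, True),
]

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"{priority(f):.2f}  {f.package:<13} {f.advisory}")
    print(f"noise reduced by {noise_reduction_percent(SAMPLE)}%")
```

Two of the six findings survive: the two critical-by-CVSS entries are treated very differently once reachability and exploitation status are taken into account.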
Proactive, end-to-end supply chain security
Securing software at the CI/CD stage by scanning a single snapshot in time is not enough to protect and secure software systems and the organizations behind them. Developers and development environments specifically need effective and proactive defence against vulnerabilities and malicious packages, such as typosquatting attacks. Securing software during the entire software lifecycle - from development through to production - is being built into the core of Safety. Teams that use Safety are protected and security-informed throughout the development process.
Developer first - simplified secure software development
Making our tools easy to use and developer-friendly is a central theme and focus. From browser-based authentication for Safety CLI, to one-click project setups, to seamless integration into any development workflow, we’re making our tools even easier to use for developers. The easier it is to be secure and the easier it is to implement security best practices, the more secure software will be. Safety makes building secure software simple for data, engineering, and security teams of all sizes.
Beyond Python - Java, .NET, JavaScript, and more
Most organizations using Python also rely on other programming languages and ecosystems. We're already the leader in Python dependency security with Safety DB. We're taking everything we've learned from detecting and analyzing vulnerabilities in Python and applying it to Java, .NET, JavaScript, and other ecosystems. Safety will be your single software supply chain security solution across all languages and ecosystems.
Welcome to Safety
Our new brand and home are the final, surface-level component of the big and fundamental changes we're implementing to keep your software supply chain and software systems secure. We've been working hard on a huge update to our Safety CLI scanner and the Safety Platform, which we'll cover in our upcoming posts.
None of this would be possible without my incredible team. I want to express my massive thanks to the Safety team: their hard work and dedication have made this rebrand and product launch possible. They're the genius behind the innovative solutions we offer and the exciting direction we're heading in.
I'm really excited to embark on this new chapter. To anyone working in software, data, or security, I'd love to connect and learn how you're tackling your software supply chain security.
Welcome to Safety!